
#2014-1004-04

Remote Code Execution Vulnerability in BASH Interpreter

Oct 1, 2014

Background

The ShellShock bug is a group of serious vulnerabilities in the popular BASH shell interpreter. It is also widespread, existing in most Linux-based products. Since the initial vulnerability was announced and patched, new aspects of the vulnerability have been discovered. These are being tracked as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

The flaw involves improper processing of environment variables. In certain configurations, the ShellShock vulnerability may allow an unauthenticated remote attacker to execute malicious code on a targeted system. Of particular concern are services that receive a request via HTTP and use BASH to execute commands on the server. In some configurations, this vulnerability could be used to install malware on a server. Independent reports indicate that vulnerable systems are being targeted and compromised to be used in botnets.
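For the HTTP case described above, the following is an added example, not part of Mitel's advisory: a check of web server access logs for header values that BASH would read as a function definition. It assumes Apache/nginx "combined" log format and relies on the vulnerable BASH versions treating an environment value that begins with `() {` as a function; the function name and the sample log lines are constructed for illustration.

```python
import re

# Apache/nginx "combined" access-log layout (assumed log format).
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Vulnerable BASH imports a function when a value *starts* with "() {".
FUNC_PREFIX = "() {"


def find_function_definitions(lines):
    """Return (line_no, client, field) for each logged header starting with '() {'."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not combined format: skipped, which does not mean clean
        for field in ("referer", "agent"):
            # Anchored at the start of the value to avoid flagging "()" mid-string.
            if m.group(field).lstrip().startswith(FUNC_PREFIX):
                hits.append((line_no, m.group("client"), field))
    return hits


# Constructed sample lines (documentation addresses, harmless placeholder command).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Oct/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 87 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.4 - - [01/Oct/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 87 "() { :; }; echo constructed-sample" "curl/7.38.0"',
    '192.0.2.10 - - [01/Oct/2014:10:00:12 +0000] "GET /docs HTTP/1.1" '
    '200 90 "-" "doc-indexer/1.0 note: f() { } syntax"',
]

if __name__ == "__main__":
    for line_no, client, field in find_function_definitions(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent a function definition in {field}")
```

A hit shows that a request carried the pattern, not that the server was vulnerable or compromised; headers that are not written to the access log are not covered by this check.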

Summary

Mitel is monitoring this dynamic situation very carefully. We are conducting a thorough investigation of our entire portfolio to ascertain which of our products may be susceptible. This security advisory will be updated as new information emerges and as our investigation progresses.